
Analysis of Anti-Hacking Software PunkBuster:

How to Stop Cheating in Online Games


David Nichols
Background
Online gaming has steadily increased in popularity
over the past decade, becoming one of the most
popular forms of gaming today
With this increase in popularity the need for security
has grown, as the player base becomes more and
more diverse
Proper network security has become essential
Not only to prevent cheating
But also to protect users' personal information
Debate has arisen over who should provide security
Publishers, Users, or Third Parties
Design Decisions
When designing an online game the publishers
must choose between a number of trade-offs
Efficiency and Accessibility vs. Security
Secure private servers vs. P2P
As both technology and economics have
evolved so has game design
Shift from privately hosted servers to public P2P
models
Significantly cheaper and more expandable
P2P Network Design
[Diagram: one host (client or admin) and eight clients]
Popular Security Mechanisms
Checksums
Check client data for integrity via checksums
Can be forged
Check client data against game rules
Many cheats can be sent within the rules
Unique Database Structures
Admins/Game Managers
These security measures don't stop many types
of attacks
How Cheating Works
Most of these cheats are based on weaknesses in the client-server
model
Clients and even admins can't be trusted
Changes to the game code
Game code generally in binary
Can be decoded
Data files not in binary
Can change software (wallhack) or game state in memory (inf. ammo)
Outside programs performing game actions
Turbo function and action scripts
Modify personal computer's system software
Change graphics driver to render all objects
Packet Manipulation
Change packets being sent out (aimbot)
Use private data from client packets (wallhack)
Delay packets (slow time or retroactively act)
Two Main Types of Cheating
Computer-based attacks:
Aimbot
Use client info to aim
Modify code for dmg
Artificial lag/Flood attacks
Attack physical device
Look-ahead
Forge time stamp
Physics hacking
Remove collision detection
Altering game elements
Server override or impersonation
Extrasensory perception
Display client info on screen

Improper usage:
Turbo
Environmental exploits
Ghosting
Improper settings
Scripting
Collaboration
PunkBuster
Created and first implemented in 2000 by Tony
Ray to stop cheating in Castle Wolfenstein
Owned by Even Balance, Inc.
Subsequently used in numerous online shooters
Built around client-server model
Installed on both clients and servers
Constantly communicates with Even Balance's
master servers
Designed to scan for cheating computers and
then ban them from protected servers/games
PunkBuster's Implementation
Each admin server requires its own unique directory
Two main components of PunkBuster:
PunkBuster Server (runs on game servers)
password protected
PunkBuster Client (runs on players' playing machines while they play the
game)
If admin PB not up-to-date all players notified
If client PB not up-to-date player not allowed to join
Frequent status reports (encrypted) are sent to the PunkBuster
Server by all players
Violations cause player to be kicked and all others notified
Admins can manually kick players
For a specific number of minutes or permanently
Can be bypassed by altering time stamp
Player power facility allows games to run without admin
PunkBuster's Security Features
Real-time memory scanning
Uses Windows API functions and heuristic searches
Communicates over game's internet connection
To avoid firewall
Uses UDP ports 24300-24399 to communicate
Throttled two-tiered background auto-update system
with master servers
Provide end-user security
Ensure no corrupted or false updates on user PC
Guarantees update integrity
Uses digital signatures provided by Verisign (Authenticode)
Updates validated by master servers based on security info
Prevents Admins from using PB to send viruses

PunkBuster's Security Features
Can request partial MD5 hashes of files inside the
game installation directory
Results compared against a default config
Calculate differences and ban if necessary
Admin search functions
To check players' key bindings and scripts for cheats
Stream PB server logs to other locations
Allows for the creation of universal banned lists
Random player settings checks
Cvar checking
A number that represents game settings, must be in
admin's range
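
The partial MD5 file check from this slide, as an added example (not PunkBuster's or Even Balance's code). The range selection, the challenge dictionary and the file names are assumptions, the sample files are constructed, and the client is simulated as hashing its file honestly.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

def partial_md5(path, offset, length):
    """MD5 over `length` bytes of the file starting at `offset`."""
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read(length)
    if len(data) != length:  # truncated or shortened file
        raise ValueError("requested range runs past end of file")
    return hashlib.md5(data).hexdigest()

def make_challenge(reference_path, length=64, offset=None):
    """Server side: choose a range (random by default) and record the
    digest of the reference copy ("default config") for that range."""
    size = os.path.getsize(reference_path)
    if offset is None:
        offset = secrets.randbelow(size - length + 1)
    return {"offset": offset, "length": length,
            "expected": partial_md5(reference_path, offset, length)}

def check_client(client_path, challenge):
    """Compare the digest of the client's file range with the baseline."""
    try:
        got = partial_md5(client_path, challenge["offset"], challenge["length"])
    except (OSError, ValueError):
        return "violation"
    return "ok" if hmac.compare_digest(got, challenge["expected"]) else "violation"

def demo():
    """Constructed data: a 4 KiB reference file and a copy patched at byte 2000."""
    with tempfile.TemporaryDirectory() as d:
        ref, mod = os.path.join(d, "ref.bin"), os.path.join(d, "client.bin")
        blob = bytes(range(256)) * 16
        patched = bytearray(blob)
        patched[2000] ^= 0xFF
        for path, data in ((ref, blob), (mod, bytes(patched))):
            with open(path, "wb") as f:
                f.write(data)
        miss = check_client(mod, make_challenge(ref, offset=0))    # range skips the patch
        hit = check_client(mod, make_challenge(ref, offset=1984))  # range covers byte 2000
        clean = check_client(ref, make_challenge(ref))             # random range, clean file
        return miss, hit, clean

if __name__ == "__main__":
    print(demo())
```

A fixed range only protects the bytes it covers, which is why the example draws the offset at random for each request.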
PunkBuster's Security Features
User Authentication
Use digital signatures
Happens continuously through game (2-3 per minute minimum)
Screenshot Requests
Admin can request screenshot samples from players
Or can be done randomly
Can block screenshots (black screen) or erase visible hacking
Reflected in RecentSS value, visible to all players, prevents admins from cheating
Hardware bans
Ban hardware components used to circumvent PB
Uses hard drive ID and other undisclosed components
Use multiple private one-way hashes in order to protect the confidentiality of
users' serial number info
Use GUID (Globally Unique Identifier) to ID users
Based on game installation
128 bit one-way hash generated from CD-key
Encrypted
GUID bans
Attacks on PunkBuster
Battlefield 3 "Game disconnected: you were kicked by
PunkBuster" error
Attackers used a GUID scanner to duplicate users' GUIDs
Used security loophole to ban players
IRC mass false positives
Because PB scans all virtual memory, attackers uploaded
text fragments from cheat programs on popular IRC
channels
PB would see malicious text in channel clients' text buffers
and ban them
Incompatibility issues with:
Steam, non-Windows admins, 64-bit clients, and some
Firewalls
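
The IRC false-positive problem above, modelled as an added example (not PunkBuster's code): a signature scan over all memory flags an honest player whose chat buffer holds the fragment, while a scan scoped to the game's own code regions does not. The region model, process names, scoping rule and signature are assumptions, and all data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    process: str   # owning process
    kind: str      # "image" = mapped executable module, "private" = heap/text buffers
    data: bytes

# Constructed placeholder signature, not a real cheat fragment.
SIGNATURES = {"demo-cheat": b"DEMO_CHEAT_FRAGMENT_v1"}

def scan(regions, only_process=None, only_kinds=None):
    """Return sorted (process, kind, signature) hits.
    With no filters this models scanning all virtual memory."""
    hits = set()
    for r in regions:
        if only_process is not None and r.process != only_process:
            continue
        if only_kinds is not None and r.kind not in only_kinds:
            continue
        for name, sig in SIGNATURES.items():
            if sig in r.data:
                hits.add((r.process, r.kind, name))
    return sorted(hits)

def verdict(regions, **scope):
    return "ban" if scan(regions, **scope) else "clean"

# Constructed snapshots of two players' machines.
CHAT_LINE = b"<stranger> hey look: DEMO_CHEAT_FRAGMENT_v1\r\n"
honest_player = [
    Region("game.exe", "image", b"\x55\x8b\xec" * 32),
    Region("irc_client.exe", "private", b"<alice> hi\r\n" + CHAT_LINE),
]
cheating_player = [
    Region("game.exe", "image", b"\x90" * 16 + b"DEMO_CHEAT_FRAGMENT_v1" + b"\x90" * 16),
    Region("irc_client.exe", "private", b"<bob> gg\r\n"),
]
SCOPED = {"only_process": "game.exe", "only_kinds": {"image"}}

def demo():
    return {
        "honest_unscoped": verdict(honest_player),           # false positive
        "honest_scoped": verdict(honest_player, **SCOPED),
        "cheater_scoped": verdict(cheating_player, **SCOPED),
    }

if __name__ == "__main__":
    print(demo())
```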


Criticisms
Heavily uses users' network, causing lag
Hogs bandwidth
Puts heavy pressure on users' PC processors
Slowing down or overheating some PCs
Even Balance, the company, has too much power
Judge, Jury, and Executioner
Permanent bans based solely on their discretion, not
controlled by publishers
Invasion of privacy
Screenshots, program lists, memory scans, hardware
info, IP addresses, and other personal security info
Still doesn't stop all cheating/attacks
